FortiWeb Cloud can protect against cookie poisoning and other cookie-based attacks. When the Cookie Security module is added, FortiWeb Cloud signs all cookies by default.
- Go to SECURITY RULES > Cookie Security.
You must have already enabled this module in Add Modules. See How to add or remove a module.
- Configure these settings.
Cookie Replay Protection
Enable to make FortiWeb Cloud use the source IP address of the request to determine the owner of a cookie, so that a cookie captured from one client cannot be replayed from another. Because ownership is tied to the address, a client whose source IP address changes during a session will fail this check.
Set Max Cookie Age
Enter the maximum age (in minutes) permitted for cookies that do not have an “Expires” or “Max-Age” attribute.
To configure no expiry age for cookies, enter
- None—FortiWeb Cloud does not apply cookie tampering protection or encrypt cookie values.
- Signed—Prevents tampering (cookie poisoning) by tracking the cookie value.
When FortiWeb Cloud receives the first HTTP or HTTPS request from a client, it uses a cookie to track the session. When you select this option, the session-tracking cookie carries a hash value that FortiWeb Cloud uses to detect tampering with the cookie that the back-end server set in its response. If FortiWeb Cloud determines that the cookie returned by the client has changed, it takes the configured action.
- Encrypted—Encrypts the cookie values that the back-end web server sends to clients. Clients see only encrypted cookies; FortiWeb Cloud decrypts the cookies that clients submit before forwarding them to the back-end server.
Set Secure Cookie
Enable to add the Secure flag to cookies, which makes browsers return the cookie only with requests for HTTPS pages, never over plain HTTP.
Set HTTP Only Cookie
Enable to add the "HTTP Only" flag to cookies, which prevents client-side scripts from accessing the cookie.
Allow Suspicious Cookies
Select whether FortiWeb Cloud allows requests that contain cookies that it does not recognize or that are missing cookies.
In many cases, when you first introduce the cookie security features, cookies that client browsers have cached earlier generate false positives.
To avoid this problem, either select Never, or select Custom and enter an appropriate date on which to start taking the specified action against suspicious cookies.
- Never—FortiWeb Cloud does not take the action specified against suspicious cookies.
- Always—FortiWeb Cloud always takes the specified action against suspicious cookies.
- Custom—FortiWeb Cloud takes the specified action against suspicious cookies starting on the date specified by Don't Block Until.
Don't Block Until
If Allow Suspicious Cookies is Custom, enter the date on which FortiWeb Cloud starts to take the specified action against suspicious cookies.
If you want to specify cookies that are exempted from the cookie security policy, click to add cookie names.
- From the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
To configure the actions, you must first enable the Advanced Configuration in Global > Settings.
- Accept the request and generate a log message.
- Alert & Deny—Block the request (or reset the connection) and generate a log message.
- Block the request (or reset the connection) but do not generate a log message.
- Accept the request, but remove the offending cookie from the request before it reaches the web server, and generate a log message.
- Click SAVE.
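The settings above describe a gateway that signs cookies on the way out, verifies them on the way back in, enforces a maximum age, binds cookies to the client's IP address, treats unsigned cookies as suspicious until a chosen date, exempts named cookies, and then applies one of the four actions. The following Python model is an added example written for this page; it is not FortiWeb Cloud's implementation, and the tag format (value, issue time and an HMAC-SHA256 tag joined with "~"), the signing key, the cookie names, the client IP addresses and the timestamps are all constructed for illustration. The Encrypted mode and the "missing cookie" case are not modelled.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed signing key for the example; a real gateway keeps one per application.
KEY = b"example-cookie-signing-key"
SEP = "~"   # legal in cookie values (RFC 6265) and never produced by base64url

def _tag(name, value, issued, client_ip):
    """HMAC-SHA256 over cookie name, value, issue time and (optionally) client IP."""
    msg = f"{name}={value}|{issued}|{client_ip or ''}".encode()
    mac = hmac.new(KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def _parse_set_cookie(header):
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = dict(p.partition("=")[::2] for p in parts[1:])   # flags such as Secure map to ""
    return name.strip(), value.strip(), attrs

def _parse_cookie_header(header):
    pairs = [p.strip().partition("=") for p in header.split(";")]
    return [(n.strip(), v.strip()) for n, eq, v in pairs if eq]

class CookieSecurity:
    def __init__(self, replay_protection=True, max_cookie_age_min=30, secure=True,
                 http_only=True, allow_suspicious="custom", dont_block_until=None,
                 exempt=(), action="alert_deny"):
        self.replay_protection = replay_protection
        self.max_cookie_age_min = max_cookie_age_min
        self.secure, self.http_only = secure, http_only
        self.allow_suspicious = allow_suspicious    # "never" | "always" | "custom"
        self.dont_block_until = dont_block_until    # aware datetime, used with "custom"
        self.exempt = set(exempt)
        self.action = action        # "alert" | "alert_deny" | "deny" | "remove_cookie"

    def sign_response(self, set_cookie_header, client_ip, now):
        """Rewrite one back-end Set-Cookie header on its way to the client."""
        name, value, attrs = _parse_set_cookie(set_cookie_header)
        if name in self.exempt:
            return set_cookie_header
        lowered = {k.lower() for k in attrs}
        # "0" marks a cookie whose expiry the back end set; Max Cookie Age applies only otherwise.
        issued = "0" if lowered & {"expires", "max-age"} else str(int(now.timestamp()))
        ip = client_ip if self.replay_protection else None
        signed = SEP.join([value, issued, _tag(name, value, issued, ip)])
        for flag, on in (("Secure", self.secure), ("HttpOnly", self.http_only)):
            if on and flag.lower() not in lowered:
                attrs[flag] = ""
        out = [f"{name}={signed}"] + [f"{k}={v}" if v else k for k, v in attrs.items()]
        return "; ".join(out)

    def _verify(self, name, raw, client_ip, now):
        """Classify one client cookie: "ok", "suspicious", "bad-signature" or "expired"."""
        pieces = raw.rsplit(SEP, 2)
        if len(pieces) != 3:
            return "suspicious"                     # no tag: unknown or pre-policy cookie
        value, issued, tag = pieces
        ip = client_ip if self.replay_protection else None
        if not hmac.compare_digest(tag.encode(), _tag(name, value, issued, ip).encode()):
            return "bad-signature"                  # tampered, or replayed from another IP
        if issued != "0" and now - datetime.fromtimestamp(int(issued), timezone.utc) \
                > timedelta(minutes=self.max_cookie_age_min):
            return "expired"
        return "ok"

    def _act_on_suspicious(self, now):
        if self.allow_suspicious == "always":
            return True
        if self.allow_suspicious == "custom" and self.dont_block_until is not None:
            return now >= self.dont_block_until     # Don't Block Until
        return False                                # "never": no action taken

    def check_request(self, cookie_header, client_ip, now):
        """Verify a client Cookie header and apply the configured action."""
        forward, held, findings = {}, {}, []
        for name, raw in _parse_cookie_header(cookie_header):
            kind = "ok" if name in self.exempt else self._verify(name, raw, client_ip, now)
            if kind == "ok":    # exempt cookies pass untouched; signed ones lose their tag
                forward[name] = raw if name in self.exempt else raw.rsplit(SEP, 2)[0]
            else:
                findings.append((name, kind))
                held[name] = raw
        violation = any(kind != "suspicious" for _, kind in findings)
        suspicious = any(kind == "suspicious" for _, kind in findings)
        enforce = violation or (suspicious and self._act_on_suspicious(now))
        if not enforce or self.action == "alert":           # accept as received; log if enforced
            decision, log, cookies = "accept", enforce, {**forward, **held}
        elif self.action == "remove_cookie":                # accept without the offending cookies
            decision, log, cookies = "accept", True, forward
        else:                                               # deny, or alert & deny
            decision, log, cookies = "block", self.action == "alert_deny", {}
        return {"decision": decision, "log": log, "cookies": cookies, "findings": findings}
```

A tampered value and a cookie replayed from a different address both fail the tag check, so the model reports them under one finding; a cookie issued before the policy was enabled has no tag at all and is reported as suspicious, which is the false-positive case the Allow Suspicious Cookies and Don't Block Until settings exist for.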